AEPD (Spain) - EXP202306260

From GDPRhub
AEPD - EXP202306260
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 14.04.2021
Decided: 27.12.2023
Published:
Fine: 6,500,000 EUR
Parties: The Phone House Spain
National Case Number/Name: EXP202306260
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Ao

The DPA fined a telecommunications company a total of €6,500,000 after a cyberattack affecting 13,000,000 people showed that the controller hadn't implemented adequate measures to protect the personal data of their customers, suppliers and employees.

English Summary

Facts

On 14 April 2021, the Spanish DPA (AEPD) received a notification of a personal data breach registered by the controller, a telecommunications provider.

The Security Breach Assessment Report showed that approximately 13,000,000 people were affected by the data breach. The attackers downloaded a database containing the personal data of clients, former clients, suppliers and employees of the controller and published the information on a public website. The personal data included names, ID numbers, postal addresses, email addresses, mobile numbers, nationality, sex, dates of birth, bank account numbers as well as employment details of employees.

The controller stored the data in plain text without any pseudonimisation or anonymisation measures in place.

The controller argued that adequate measures were in place and that the attack could not have been prevented due to the technical expertise of the cyber attackers. Crucially the controller submitted that there is no relationship between the alleged inadequacy and the data breach as more robust measures could not have prevented the attack. Therefore, no causal link could be established between the actions of the controller and the incident. The controller firmly posited itself as a victim of an unforeseen attack and argued that every security system shows room for improvement but that Article 5(1)(f) GDPR cannot be interpreted as an obligation of a specific result.

Holding

The AEPD clarifies that Article 5(1)(f) GDPR is violated if there is a personal data breach regardless of whether the breach was caused due to the absence or deficiency of security measures. In its capacity as a controller for large amounts of personal data concerning a large number of people, the controller should have foreseen the risks and implemented measures which could have prevented the cyberattack.

As aggravating factors, the AEPD highlights the amount of personal data leaked and the number of people affected by the breach. Further, it highlighted that a Data Protection Impact Assessment of 2018 which was submitted by the controller, listed precisely those shortcoming in the security system which then enabled the data breach. The failure to remedy these issues over a period of two years clearly demonstrated negligent behaviour on the part of the controller for the AEPD.

Mitigating factors were that the controller drew no benefit from the data breach and that the controller diligently notified the AEPD of the data breach.

The AEPD imposed a fine of €4,000,000 for the infringement of Article 5(1)(f) GDPR and a fine of €2,500,000 for the infringement of Article 32 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.